Microsoft® Security Update (Out of Band)

CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability – Critical

Published: December 19, 2018

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

For more details and a full list of affected systems, click here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653

If you have any questions please contact Customer Success.

Microsoft® Remote Desktop Services Security Update - Potential Compatibility Issue

Published: June 4, 2018

Microsoft has recently released a security update for a vulnerability in Remote Desktop Services(RDS). It has been reported that if two machines do not have the same RDS patch install level, an incompatibility issue between them can prevent log in.

This RDS update has been released through the standard Windows Update distribution channels and will be installed to those machines taking the standard monthly Windows Updates.

The RDS security update details are here:

CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886

Vital Images strongly recommends installing these latest security patches comprehensively to all product systems to avoid this issue.

If you have any questions, please contact Customer Success.

Microsoft® Security Update I Critical

CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability

CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability

Published: May 8, 2018

Microsoft has announced and released its standard monthly security roll-up for May 2018. In it are critical updates for two vulnerabilities that were considered zero-day status until this release. These two specific vulnerabilities are unique in that they are currently being exploited in the wild. In addition, it is noteworthy that there are twenty-one (21) other critical vulnerabilities remedied in this update. As a result, Vital Images strongly recommends to install these latest security patches to all product systems as soon as possible.

At this time no Vital Images customers have reported exploitations involving these two vulnerabilities.

For more details and a full list of affected systems, click here:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120

If you have any questions please contact Customer Success.

Microsoft® Security Update (Out of Band)

CVE-2018-1038 | Windows Kernel Elevation of Privilege Vulnerability

Published: March 29, 2018

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

For more details and a full list of affected systems, click here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038

If you have any questions please contact Customer Success.

Adobe Security Advisory APSA18-01

Published February 1, 2018

A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

A full summary containing current mitigations, affected products and plans for patching can be accessed here: https://helpx.adobe.com/security/products/flash-player/apsa18-01.html

Adobe will address this vulnerability in a release planned for the week of February 5.

For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.

Please refer to this Software Security Updates page for the latest information from Vital and contact Customer Success if you have any questions.

Customer Success Alert

Meltdown and Spectre Side-Channel Vulnerabilities

The United States Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security, has released the following alert regarding the security vulnerabilities “Meltdown and Spectre.” The formal source for this alert is hosted here: US-CERT: Meltdown and Spectre Side-Channel Vulnerabilities.

Original release date: January 03, 2018

“US-CERT is aware of a set of security vulnerabilities – known as Meltdown and Spectre – that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

Users and administrators are encouraged to review Vulnerability Note VU#584653, Microsoft’s Advisory, and Mozilla’s blog post for additional information and refer to their OS vendor for appropriate patches.

US-CERT is not aware of any active exploitation at this time and will provide additional information as it becomes available.”

This is a broad-based set of vulnerabilities that requires security patching from many contributors (e.g., hardware vendors, Microsoft, VMWare, etc.) for complete remediation. The Intel chipsets that Vital’s software runs upon are directly affected by this finding.

US-CERT advises that the changes to accommodate/remediate this issue could impact one or more of our applications. As patches become available, we will test our applications in their context and provide our customers with any specific cautions or additional instruction.

Please refer to this Software Security Updates page for the latest information from Vital and contact Customer Success if you have any questions.

Microsoft® Security Advisory 4010323

Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11

Published: May 9, 2017

Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates. For more information, please see Windows Enforcement of SHA1 Certificates.

For more details and a full list of affected systems, click here: https://technet.microsoft.com/en-us/library/security/4010323

If you have any questions please contact Customer Success.

Microsoft® Security Bulletin (MS17-010) - Critical

Vital Images strongly recommends installing the latest security updates from Microsoft as soon as they are made available.

Vital Images recommends applying MS17-010 to all your Vitrea platforms to protect against the WannaCry malware.

  • VitreaAdvanced / Vitrea® Advanced Visualization
    • enterprise deployment
    • Vitrea Workstation or workstation deployment
    • Vitrea Extend or extend deployment
  • Vitrea View
  • Vitality XT

If you cannot download the Windows update the Workaround can also be found in the link below to protect the system(s).

For more information see the Microsoft Security Bulletin MS17-010 – Critical.  If you have any questions please contact Customer Success.

Vitrea Advanced Running VMware Tools

Version in NGC/C# Client Version in Tools Info Screen Result
9541 9.10.5 – 2981885 NOT RECOMMENDED
10240 10.0.0 – 3000743 NOT RECOMMENDED

Vital Images recommends deploying a version of VMware Tools on Vitrea Advanced servers that does not result in this behavior. The table below shows the currently recommended versions.

Version in NGC/C# Client Version in Tools Info Screen Result
9536 9.10.0 – 2476743 OK
9537 9.10.1 – 2791197 OK
10245 10.0.5 – 3227872 OK

Adobe® Reader® for Windows®

Adobe has released a critical security bulletin and related security updates for Adobe Reader for Windows. Vital recommends users update their product installations to the latest versions.

  • Users of Adobe Reader XI (11.0.20) and earlier versions should update to version 11.0.21.
  • Users of Adobe Reader DC Classic (2015.006.30306) and earlier versions should update to version 2015.006.30352.

For more information, see the Adobe Security Bulletin released on January 10, 2017 and recently updated via CVE-2017-3124.

To upgrade Adobe Reader, downloads can be found here.

All third party marks are property of their respective owners and have protection in the United States and/or other countries.

Adobe® Flash® for Windows®

Adobe has released security updates for Adobe Flash for Windows. Vital recommends users who have installed Adobe Flash to view Help and Training videos update their product installations to the latest versions. Vital Images does not distribute Adobe Flash but it can be used with the Vital products.

  • Users of the Adobe Flash Player for Windows should update to Adobe Flash Player 18.0.0.209.


For more information, see the Adobe Security Bulletin released on July 14, 2015. This vulnerability is also known as ActionScript 3 opaqueBackground and BitmapData classes of Flash Player Exploitation CVE-2015-5122CVE-2015-5123.

If you wish to upgrade Adobe Flash the latest update downloads can be found here.

Microsoft® Windows® Update MS15-061 - KB3057839

Vital uncovered an issue with the Microsoft Windows Update MS15-061 – KB3057839 that was released on June 9, 2015. If this Microsoft Update is applied to the Microsoft operating system, Vitrea® reports will be blacked out when exported to a DICOM endpoint.

Vital is working directly with Microsoft to resolve the problem.

This patch affects all versions of Vitrea deployments on Windows Server® 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, and Windows 7 SP1.

Removing this Microsoft update or preventing this update’s installation will allow Vitrea reports to export as expected.

Vital Support

Please contact Vital Customer Support with any questions or variations experienced with this issue.

Microsoft Technical Information

Microsoft® 0 Day Patch

On April 26, 2014 Microsoft announced a high impact vulnerability that affects Internet Explorer versions 6 through 11. This vulnerability could allow remote code execution on any system that is using these versions of Internet Explorer. On May 1, Microsoft released a patch that fixes this exposure.

Vital has tested the patch to this vulnerability and confirmed that installing the patch does not negatively impact any Vitrea® products.

Vital strongly recommends that all organizations apply this patch as soon as possible to all systems running any Vitrea software.

References:
Microsoft Security Advisory 2963983 – https://technet.microsoft.com/library/security/2963983
National Vulnerability Database – http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1776

Heartbleed Virus

Vital has tested our Vitrea® software and confirmed that we are not affected by the Heartbleed virus.

If you have any questions on either of these issues, please call Vital Customer Support at support@vitalimages.com or 800.208.3005.


Microsoft
®, Windows® and Microsoft Windows Server® are registered trademarks of Microsoft Corporation.

Adobe®, Flash® and Reader® are registered trademarks of Adobe Systems Incorporated.

Vital is a trademark of Vital Images, Inc. Marks not owned by Vital Images, Inc. are the property of their respective holders.